Trust architecture and reputation evaluation for internet of things

Trust architecture and reputation evaluation for internet of things
Chen, Juan; Tian, Zhihong; Cui, Xiang; Yin, Lihua; Wang, Xianzhi
2018-06-04 00:00:00
Internet of Things (IoT) represents a fundamental infrastructure and set of techniques that support innovative services in various application domains. Trust management plays an important role in enabling the reliable data collection and mining, context-awareness, and enhanced user security in the IoT. The main tasks of trust management include trust architecture design and reputation evaluation. However, existing trust architectures and reputation evaluation solutions cannot be directly applied to the IoT, due to the large number of physical entities, the limited computation ability of physical entities, and the highly dynamic nature of the network. In comparison, it generally requires a general and flexible architecture to manage trust in such a dynamic environment as IoT. In this paper, we present IoTrust, a trust architecture that integrates Soft Defined Network (SDN) in IoT, and a cross-layer authorization protocol based on IoTrust. IoTrust and the protocol together provide a new insight for research on trust management in the IoT. For trust establishment, we further propose a Behavior-based Reputation Evaluation Scheme for the Node (BES) and an Organization Reputation Evaluation Scheme (ORES). Both our theoretical analysis and simulation results validate the efficiency of BES and ORES. Keywords Internet of things · Sensors · Trust architecture · Reputation evaluation 1 Introduction Since physical entities including readers, tags and vari- ous application servers in IoT need to collaborate with each Internet of Things(IoT) creates a world where physical enti- other, it is important for them to identify the trustworthy ties are seamlessly integrated into information networks partners. to provide advanced and intelligent services for human Despite the wide use of trust protocols for P2P (Chen et al. beings (Alrawais et al. 2017; Guo et al. 2017; Dabbagh 2014; Cho et al. 2012) and ad hoc sensor networks (Ganeriwal and Rayes 2017). The IoT entities generally include sen- et al. 2008; Jiang et al. 2015), there is little work on trust man- sor nodes, RFID tags and wireless communicating devices agement for IoT (Sicari et al. 2015). Reputation is a concept (e.g. readers, mobile phones) connected to the Internet in closely related to trust relations and has been widely used a smart environment (Memos et al. 2017; Sedjelmaci et al. in many knowledge domains ranging from social sciences 2017). The proliferation of IoT greatly empowers people to to digital sciences. In fact, reputation is often seen as one control their lives. Generally, a tag is attached to an object measure by which trust or distrust can be built based on good and can only communicate with a reader nearby. Until now, a or bad past experiences and observations based on collected huge number of readers deployed by business or government referral information. In recent years, the concept of reputa- organizations to provide service for commercial or public tion has proven useful in many areas of research in computer use (Yan et al. 2014). science, particularly in the context of distributed and collab- orative systems where trust and security issues are critical. We summarize the main challenges of trust management for IoT as follows. First, traditional trust management solutions * Zhihong Tian cannot be simply and directly applied to the IoT due to the tianzhihong@gzhu.edu.cn different standards, communication stacks, and weak com- putation ability of entities (Shen et al. 2018; Li et al. 2018; The Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China Gao et al. 2018; Liu et al. 2017). Second, most works about trust in IoT systems are designed for specific applications and Living Analytics Research Centre, Singapore Management University, 80 Stamford Road, Singapore 178902, Singapore Vol.:(0123456789) 1 3 J. Chen et al. therefore cannot be applied to other applications (Chen et al. by the performance evaluation. The simulation is given in 2016; Jayasinghe et al. 2016; Nitti et al. 2014). Third, IoT has Sect. 5. Finally, we conclude the paper in Sect. 6. a huge number of heterogeneous entities with limited storage space and computation resources while existing work does not scale well to accommodate this requirement (Nitti et al. 2014). 2 Related work Fourth, IoT represents a dynamic environment which evolves with new nodes joining and existing nodes leaving. Thus, it There are two approaches for trust in computer networks: requires a flexible infrastructure to allow newly joining nodes the first based on policies. For example, SPINS (Perrig et al. to build up trust quickly with a reasonable degree of accuracy. 2002), develops a trusted network. The second approach is Lastly, they are dependent on specific assumptions such as the based on reputation (Chen et al. 2014; Cho et al. 2012), availability of feedback and known ownership (Hellaoui et al. which is defined as a probability that an agent is trustworthy. 2016; Bernabe et al. 2016). In recent years, the concept of reputation has shown itself We aim to design a scalable and general trust manage- to be useful in many areas of research in computer science par- ment framework for IoT to address the above challenges. To ticularly in the wireless body area networks, cloud computing this end, we first present a general trust architecture inte- (Wu et al. 2016, 2014; Huang et al. 2017), and social networks grating Soft Defined Network (SDN), an emerging technol- (Yuan et al. 2017; Chen et al. 2017; Shen et al. 2015), where ogy that can meet the need of current IoT requirements of interesting issues of trust and security manifest themselves. heterogeneity and flexibility (Kuang et al. 2016). Then, we Despite active research efforts in the related topics (Gan- present a cross-layer authorization protocol based on the eriwal et al. 2008; Jiang et al. 2015), few researchers focus architecture and two reputation evaluation schemes for the on the trust management in the context of the IoT. In fact, node and organization, respectively. In a nutshell, we make reputation is often seen as one measure by which trust or the following contributions in this paper: distrust can be built based on good or bad past experiences and observations (Chen et al. 2016; Raya et al. 2008) or – We present IoTrust, a trust architecture integrating SDN based on collected referral information (Bernabe et al. 2016; for IoT, which consists of the object layer, the node layer, Hellaoui et al. 2016; Jayasinghe et al. 2016). the SDN control layer, the organization layer, and the rep- Chen et al. 2016 proposed a trust management framework utation management layer. Since the SDN control layer for service oriented architecture (SOA) based IoT systems. decouples the control functionality from the data rout- Trust is based on entities’ previous interactions and expe- ing and processing, IoTrust facilitates optimization and riences. It uses distributed collaborative filtering to select configuration of a network in an efficient and automated trust recommendations. It dynamically adjusts the protocol’s manner and provides interoperability among heterogene- parameters for different environments. Also, it considers four ous IoT network. The general and flexible infrastructure types of malicious attacks. Jayasinghe et al. (2016) propose can be applied to various types of applications to solve a novel trust computational model based on three trust met- the scalability issues in a dynamic IOT environment. rics (TMs); Knowledge, Recommendations, and Reputations – We present a cross-layer authorization protocol based on for Social Internet of Things. However, both (Chen et al. IoTrust. Specifically, only the reader authorized by the 2016) and (Jayasinghe et al. 2016) are designed for specific tag related organization can access to the tag. Moreover, applications, e.g. service provision. the reader’s operations on the tag will be recorded for the Jorge (Bernabe et al. 2016) focused on the trust control node’s reputation evaluation. technologies. Hellaoui (Hellaoui et al. 2016) presented an – We present a Behavior-based Reputation Evaluation efficient adaptive security model for the IoT. It allows eval- Scheme for the Node (BES) and an Organization Repu- uating the trust related to the presence of security threats tation Evaluation Scheme (ORES). Based on the node’s and performing, consequently, adaptive security decisions. behavior, BES decides the node’s state by which node’s Both (Hellaoui et al. 2016) and (Bernabe et al. 2016) are reputation is evaluated. Then, ORES evaluates the organ- dependent on specific assumptions, such as feedback must be ization’s reputation based on all its nodes’ current states. available, ownership is known, and so on. Raya et al. (2008) The theoretical analysis supports our simulation results, evaluates data reports with corresponding trust levels using indicating the efficiency of BES and ORES. Bayesian inference. However, Bayesian inference depends on prior knowledge about events which may be unavailable. The rest paper is organized as follows. Section 2 introduces Other related work either does not scale well or falls typical trust management work in IoT. We then present the unsuitable for dynamic Soft-defined IoT network (Nitti et al. soft-defined trust architecture with a cross-layer authoriza- 2014). Thus, trust management for Soft-defined IoT remains tion protocol in Sect. 3. Section 4 proposes reputation evalu- an open issue. ation schemes for node and organization in details followed 1 3 Trust architecture and reputation evaluation for internet of things resources it requires. Moreover, this layer is in charge of pre- 3 Trust architecture with a cross‑layer dicting network traffic and implement mobility management authorization protocol in the IoTrust architecture. Specifically, controllers in this layer should be carefully deployed and designed according to their We first present IoTrust, a trust architecture integrating SDN different functions such as flow scheduling, mobility manage- for IoT according to different functions of entities. Then, ment and so on. The organization layer is composed of differ - a cross-layer authorization protocol is proposed based on ent commercial or government organizations. Each organiza- IoTrust. IoTrust with the cross-layer authorization protocol tion deploys a certain number of nodes to perform operations provides new insights for research on trust-based interac- on tags such as data retrieval. Since IoT is spread across a large tion in IoT. This is because our soft-defined trust architec- area which can not be covered by nodes from one organiza- ture enables trust relationship establishment among highly tion, it is necessary for different organizations and nodes to dynamic entities managed by different organizations. cooperate with each other. However, a malicious node or an organization among good ones can launch different attacks 3.1 IoTrust after the node gains access to the tag, thereby severely damage the network. In order to identify the good nodes and organiza- There are five types of entities: tag-attached objects or tags, tions from malicious ones, reputation is used to measure how nodes, controllers, organizations and the RMC (Reputation good the node or organization is. IoTrust thus evaluates the Management Center). According to the functions of differ - reputation of each node and organization by the reputation ent entities, IoTrust divides the IoT into five layers including evaluation schemes introduced in Sect. 4 by RMC on the top the object layer, the node layer, the SDN control layer, the reputation management layer. The tag related organization will organization layer and the reputation management layer. Fig- grant the authorization to the good node which receives an ure 1 shows the bottom object layer consists of a large number operation request from good organization. The authorization of moving tag-attached objects. Before joining the IoT, each protocol will be introduced in the following subsection. tag or object must choose and then register with an organiza- tion. This layer is the data source. Above the object layer is 3.2 Cross‑layer authorization protocol the node layer which consists of different kind of nodes such as readers, sensors and so on. This layer manages data col- The cross-layer authorization protocol is used to authorize lection from the object layer. Specifically, nodes retrieve data the good node to access to the tag. The node can interact from nearby tags and then return the required results to the with the tag directly if it stays within the tag’s communica- organization layer. The SDN control layer lies between the tion range. Note that only the node authorized by the tag node layer and the organization layer. This layer can program related organization can be trusted by the tag. Therefore, the bottom node network to react differently depending on before accessing to the tag, the node must obtain the author- the nature of the node, its potential for maliciousness, and the ization from the tag related organization. The tag related organization decides whether or not to authorize the node’s access according to the node’s reputation and the user reg- istered organization’s reputation. The reputation evaluation for nodes and organizations will be introduced in Sect. 4. The main idea of the cross-layer authorization protocol is shown in Fig. 2. Specifically, the cross-layer authorization protocol performs the following nine steps. 1. The user sends a request to the user related organization O for the specified operation on a tag-attached object known as the target tag. 2. The organization O sends the request message INFO_REQ = < ID , ID , O > which will then be U T per broadcasted to the node layer, where ID , ID and O U T per stand for the ID of O , the ID of the target tag T and the requested operation. 3. The node R which discovers that the target tag T stays within its communication range is the target node. R will send INFO_REQ to T for accessing request. Fig. 1 Five-layer IoTrust architecture 1 3 J. Chen et al. attacked node from a node in temporary breakdown. Therefore, we choose the RMC with powerful energy and computational ability to identify the attacked node according to its reputation. Each node’s repu- tation is determined by its previous behavior such as its operations on different tags. 4 Reputation evaluation schemes For safety consideration, attacked nodes must be identified and then prevented from accessing to the tag. Different from unattacked nodes, attacked nodes usually perform a mali- cious behavior. So, we identify an attacked node according to its behavior which is measured by its reputation. We then propose a Behavior-based reputation Evaluation Scheme (BES) for nodes in Sect. 4.1. Furthermore, an Organization Reputation Evaluation Scheme (ORES) will be introduced in the following Sect. 4.2. 4.1 Behavior‑based reputation evaluation scheme for nodes Fig. 2 Cross-layer authorization process Based on the node’s behavior, BES decides the node’s state by which node’s reputation is evaluated (See Fig. 3). Firstly, 4. The tag T replies R with an authorization request mes- tag T in the object layer records evidence ED which includes sage AUTH_REQ including ID and ID , where ID the operations performed by reader R. Then, when interact- T OT OT is the ID of the tag-related organization. ing with the next node, T will include ED as part of the 5. Target node R sends AUTH_REQ to O through the node message which will be sent to O by the node. After that, O T T layer and SDN control layer. determines and then submits R’s behaviors to RMC. Finally, 6. The tag related organization O interacts with the RMC RMC updates R’s reputation by R’s state which can be deter- to obtain R’s and O ’s reputation. Specifically, O sends mined by R’s behaviors at regular intervals. In all, the node U T the REPU_REQ to the RMC for reputation request. reputation evaluation process includes node behavior veri- 7. RMC replies O with the message REPU_REP including fication, node state verification, and node reputation evalu- R’s and O ’s reput ation. ation. Specifically, BES consists the following three steps as 8. The organization O determines whether R should be described in Algorithm 1. granted access to T. If both R’s reputation and O ’ s repu- tation meet O ’s requirements, O gives R the authori- – Node’s behavior determination based on evidence T T zation and responses R with an authorization message Before performing operations on a tag T, the node R AUTH_REP. must be authorized by the tag’s organization O . Thus, 9. After being authorized, R can perform operations on T. R sends an authorization request message AUTH_REQ to O . Once being authorized, the node can have the right – Once authorized, R can perform either a good or a to do the operation on the tag. When the operation is malicious operation. For safety consideration, the completed, the tag will generate an evidence ED which attacked nodes that often perform malicious opera- is used to record the operation of the node. Specifically, tions should be prevented from accessing to tags. ED=< ID , OP, seq, rand > where ID is the ID of the R R However, it is difficult for a tag to defend against node. ’OP’ is the performed operation such as reading, the attacked node. On the one hand, a tag usually writing or deleting data. ’rand’ is a random number gen- has limited energy. On the other hand, a malicious erated by the tag. ’seq’ is a sequence number which is operation may be performed by either an attacked initialized to 1 and will be increased by one after each node or (occasionally) an unattacked node in case of operation. When the tag is requested by the next node R’, a temporary breakdown as it is impractical for a tag ED will then be sent to the tag’s organization O by R’ with limited computation capability to identify an as part of AUTH_REQ=< ID , ID , OP , ED,𝜑> . Spe- T R 1 3 Trust architecture and reputation evaluation for internet of things Table 1 Node state based on its Behavior State major behavior Normal Good Fault Temporary break- down Malicious Attacked Obviously, R’s malicious behavior can be captured accurately since each operation executed by R will be sent to O . – Node’s state determination RMC will determine node R’s state according to the ’Major Behavior’ during a fixed period of time since RMC can obtain each behavior of R from different organizations. The ’Major Behavior’ is the behavior which occurs most frequently. For example, if the normal, fault and malicious behavior occur 2,4 and 6 times during 10 min, the ’Major Behavior’ is malicious. We then have that the state of R is Attacked according to Table 1. – Node’s reputation evaluation After obtaining the state of R, namely P , RMC will compute R’s reputation p R R according to Algorithm 1. Specifically, if R is in a good state, P will be updated to the maximum reputation value p , where p is the initialization reputation value 0 0 of a node; otherwise, if R is being temporarily breakdown or attacked, P will be reduced to ∗ p or the lowest R 0 value 0. The parameter is an impact factor affecting the reputation of breakdown node, where 0 <𝛼 ≤ 1. Fig. 3 Three steps for node reputation evaluation cifically, =E (H(ED)) which is obtained by first hash- ing ED as H(ED) and then encrypting H(ED) by key k, where k is the symmetric key shared by T and O . Once receiving AUTH_REQ , O will verify by calculating E (H(ED)) firstly and then comparing E (H(ED)) with k k the . If the received AUTH_REQ pass the verification, O will obtain R’s operation from ED and determine R’s behavior as follows. 1. Node R performs normal behaivor if it only does operation permitted by O . 2. Node R performs fault behavior if it does unpermit- ted operation probably due to its random breakdown. This kind of fault behavior such as data dropping or injection may not be allowed by O but won’t do 4.2 Organization reputation evaluation scheme harm to T. 3. Node R performs malicious behavior if it does oper- Before joining in the network, an organization requests ation strictly prohibited by O such as complete data for a certificate from RMC and then it can be trusted by wiping. other organizations as well as the RMC. Since the number 1 3 J. Chen et al. of organizations is far less than that of nodes or tags, the – BES and ORES can defend against the modification computation or storage cost for reputation evaluation of attack and protect ED’s integrity and authenticity. This is an organization won’t cause too much burden to RMC. because the organization O can discover ED’s modifica- Specifically, the organization’s reputation Φ will be cal- tion by checking = E (H(ED)) according to Sect. 4.1. culated at regular intervals based on all its nodes’ current – BES and ORES can defend against the replay attack state. Given that there are N nodes deployed by the and thus ED’s freshness is preserved. This is because total organization. The number of good, attacked and break- the replayed ED can be verified if the ’rand’ which is a down nodes are N , N and N . The reputa- unique identifier is a previously used one. good attacked breakdown tion of the organization will be computed according to Eq. – BES and ORES can defend against the message dropping (1). Specifically, Φ is the initialization reputation value attack and ensure the non-repudiation of ED. The organi- of an organization. and are reputation decay factors zation O can verify that ED is discarded if seq ≠ T .seq for an attacked and breakdown node respectively, where +1, where ’seq’ and ’T.seq’ are sequence numbers 0 <𝛽 , 𝜏 ≤ 1 and 𝛽 <𝜏 . included in two consecutive evidences received from the same tag. Φ= N ⧵N + N ⧵N + N ⧵N Φ . good total attacked total breakdown total 0 (1) 4.3 Performance analysis 5 Simulation results We use the detection accuracy of abnormal (malicious and fault) behavior to measure the performance of BES In this section, we apply our trust architecture and reputa- and ORES. In particular, the evidence ED’s protection tion schemes to the IoT system covering over 1000 × 800 level including integrity, authenticity, freshness, and non- m . The system includes one RMC, 3 organizations, 30 repudiation is chosen to measure the detection accuracy of tags and a large number of nodes. In order to be tracked by abnormal behavior. This is because each node’s behavior authorized users, each tag has to register at one organiza- is recorded in each evidence, based on which BES and tion. All tags are moving at a speed of 3 m/s in the network. ORES evaluate the reputation of nodes and organizations. Each organization deploys its own nodes in areas where Therefore, only when the security of the evidence ED is it requests data frequently. The available communication guaranteed, BES and ORES are effective. The evidence distance between a node and a tag is no more than 30 m. will be verified by the tag’s organization as described in The maximum communication distance between two nodes the following Algorithm 2. is 150 m. Both the reputation of an organization and a node are initialized to 1. Figures 4 and 5 show the effect of different node den- sities on the organization reputation evaluated by ORES and Bayes-based method (Raya et al. 2008). Given that the node density is the number of nodes which are able to listen to the communication between a tag and a node on average. We can observe from Fig. 4 how the organization repu- tation changes over time when the node density is low. Each organization deploys and manages 30 nodes and thus the node density is = 0.32. Fifty percent of nodes has been attacked. Both ORES and Bayes-based method evalu- ate the organization reputation by the number of attacked nodes being detected. Then we have that the more accu- rate the detection result is, the more accurate the organi- zation reputation is. It is observed that the organization reputation for ORES decreases over time as the number of detected attacked nodes grows. This is because ORES Specifically, both BES and ORES are capable of thwart- is able to detect the attacked nodes successfully by their ing three types of attacks to ensure the integrity, authentic- malicious behaviors recorded in evidence. That evidence ity, freshness, and non-repudiation of ED according to the will be successfully transmitted to the tag related organiza- following analysis. tion. We can also observe that after a period of time which 1 3 Trust architecture and reputation evaluation for internet of things Fig. 6 The effect of the percentage of attacked nodes Fig. 4 Organization reputation changes over time under low node density detect attacked nodes with a higher probability than the Bayes-based method even in a high node density network. In all, ORES can detect attacked nodes with a higher prob- ability whether in a low or high node density network. We can observe from Fig. 6 how the organization repu- tation changes with different , where is the percentage of attacked nodes. Each organization deploys 100 nodes, each of which is attacked or breakdown. Figure 6 illustrates that the organization reputation decreases over time since more attacked nodes and temporary breakdown nodes have been detected. We can further observe that as decreases, the organization reputation decreases obviously. The results show clearly that the number of attacked nodes has a more Fig. 5 Organization reputation changes over time under high node significant impact on the organization reputation than that density of temporary breakdown nodes. This is because temporary breakdown nodes may recover and can then return to a is 120 s in Fig. 4, the organization reputation for ORES normal state while attacked nodes cannot. Thus, the more becomes stable. After 120 s, all attacked nodes (45 nodes) attacked nodes the organization owns, the lower the organi- have been detected. Different from ORES, the organization zation reputation is. reputation for the Bayes-based method keeps unchanged Figure 7 shows how the moving speed of tags affects the since attacked nodes cannot be detected. In the Bayes- number of detected attacked nodes for BES. In this sim- based method, the communication between a node and a ulation, we set that 30% of the nodes has been attacked. tag can hardly be monitored by another node if nodes are Each organization deploys 100 readers and 5 tags. It can be sparsely deployed. So the node’s behavior (whether good seen from Fig. 7 that the number of attacked nodes being or malicious) during the communication process cannot be detected increases with the growth of the speed of tags. This observed by any other node. It is obvious that ORES out- is because tags can encounter readers frequently and then performs the Bayes-based method with a low node density capture the readers’ behavior with a high possibility if tags deployment. are moving quickly. Figure 5 shows how the organization reputation changes over time when the node density is high. Each organization deploys 100 nodes, 80% of which is attacked. Other param- eters’ setting is the same as Fig. 4. It can be seen that the organization reputation decreases over time for ORES and Bayes-based method overall. Take note that the organiza- tion reputation for Bayes-based fluctuates greatly. This is because ORES can detect each malicious behavior while Bayes-based method cannot. Specifically, for the Bayes- based method, the communication process between a node and a tag will be missed, if no other node within the com- munication range of the node and the tag. Thus, ORES can Fig. 7 The effect of moving speed of the tag 1 3 J. Chen et al. Chen R, Bao F, Chang MJ, Cho J-H (2014) Dynamic trust management 6 Conclusion for delay tolerant networks and its application to secure routing. IEEE Transa Parallel Distrib Syst 25(5):1200–1210 In this paper, we have presented a trust architecture integrat- Chen R, Guo J, Bao F (2016) Trust management for soa-based iot and ing SDN, called IoTrust, with a cross-layer authorization its application to service composition. IEEE Trans Serv Comput 9(3):482–495 protocol. IoTrust can be applied to various types of applica- Chen Z, Peng L, Gao C, Yang B, Chen Y, Li J (2017) Flexible neural tions to solve the scalability issue in an IoT dynamic envi- trees based early stage identification for ip traffic. Soft Comput ronment. In addition, we propose two reputation evaluation 21(8):2035–2046 schemes for node and organization, respectively. Theoreti- Cho JH, Swami A, Chen R (2012) Modeling and analysis of trust man- agement with trust chain optimization in mobile ad hoc networks. cal analysis shows that the proposed reputation evaluation J Netw Comput Appl 35(3):1001–1012 schemes can defend against modification attack, replay Chongzhi G, Xuan L, Shibing X (2018) Cloud-assisted privacy-pre- attack, and message dropping attack and achieve higher serving profile-matching scheme under multiple keys in mobile detection accuracy of attacked nodes. Simulation results social network. Cluster Comput. https ://doi.org/10.1007/s1058 6-017-1649-y support our theoretical analysis and validate the efficiency Dabbagh M, Rayes A (2017) Internet of things security and privacy. of the proposed reputation evaluation schemes. In: Rayes A, Salam S (eds) Internet of things from hype to reality. Our future work includes extension and further valida- Springer, pp195–223 tion of the proposed techniques to address the remaining Ganeriwal S, Balzano LK, Srivastava MB (2008) Reputation-based framework for high integrity sensor networks. ACM Trans Sensor challenges in the trust management for IoT. For example, Netw (TOSN) 4(3):15 we will enhance the proposed model to adapt our reputation Guo J, Chen R, Tsai JJP (2017) A survey of trust computation models architecture and its reputation schemes to other IoT proto- for service management in internet of things systems. Comput cols. Another important research direction is the detection of Commun 97:1–14 Hellaoui H, Bouabdallah A, Koudil M (2016) Tas-iot: trust-based adap- malicious user and organization behaviors. Typically, such a tive security in the iot. In: Local Computer Networks (LCN), 2016 malicious behavior could be the collusion across those enti- IEEE 41st Conference on ties with the aim of generating fake reputation values for a Huang H, Guo S, Wu J, Li J (2017) Service chaining for hybrid network targeted node. Other promising directions include designing function. IEEE Trans Cloud Comput. https ://ieeex plore .ieee.org/ docum ent/79621 78/ a mechanism for managing reputation for RMC and explor- Jayasinghe U, Truong NB, Lee GM, Um T-W (2016) Rpr: a trust com- ing how variations in the presence ratio of ill-behaved and putation model for social internet of things. In: Ubiquitous intel- well-behaved entities would lead to a notion of reputation ligence & computing, advanced and trusted computing, scalable reflecting the wider system. computing and communications, cloud and big data computing, internet of people, and smart world congress (UIC/ATC/ScalCom/ CBDCom/IoP/SmartWorld, 2016 Intl IEEE Conferences Acknowledgements This research is supported in part by the Natu- Jiang J, Han G, Wang F, Shu L, Guizani M (2015) An efficient distrib- ral Science Foundation of China under Grants No. 61572153 and No. uted trust model for wireless sensor networks. IEEE Trans Parallel 61702223; by Scientific Research Staring Foundation for the Ph.D. in Distrib Syst 26(5):1228–1237 Liaoning Province No. 201601081; by Scientific Research Projects Kuang L, Yang LT, Qiu K (2016) Tensor-based software-defined inter - from Education Department in Liaoning Province No. L2015056. net of things. IEEE Wirel Commun 23(5):84–89 Li J, Zhang Y, Chen X, Xiang Y (2018) Secure attribute-based data Compliance with ethical standards sharing for resource-limited users in cloud computing. Comput Secur 72:1–12 Conflict of interest The authors declare that they have no conflict of Liu Q, Wang G, Li F, Yang S, Jie W (2017) Preserving privacy with interest. probabilistic indistinguishability in weighted social networks. IEEE Trans Parallel Distrib Syst 28(5):1417–1429 Memos VA, Psannis KE, Ishibashi Y, Kim B-G, Gupta BB (2017) An Open Access This article is distributed under the terms of the Crea- efficient algorithm for media-based surveillance system (eamsus) tive Commons Attribution 4.0 International License (http://creat iveco in iot smart city framework. Future Gen Comput Syst 83:619–628 mmons.or g/licenses/b y/4.0/), which permits unrestricted use, distribu- Nitti M, Girau R, Atzori L (2014) Trustworthiness management tion, and reproduction in any medium, provided you give appropriate in the social internet of things. IEEE Trans Knowl Data Eng credit to the original author(s) and the source, provide a link to the 26(5):1253–1266 Creative Commons license, and indicate if changes were made. Perrig A, Szewczyk R, Tygar JD, Wen V, Culler DE (2002) Spins: secu- rity protocols for sensor networks. Wireless Netw 8(5):521–534 Raya M, Papadimitratos P, Gligor VD, Hubaux J-P (2008) On data- centric trust establishment in ephemeral ad hoc networks. In: References INFOCOM 2008. The 34th Conference on Computer Commu- nications. IEEE Alrawais A, Alhothaily A, Hu C, Cheng X (2017) Fog computing for Sedjelmaci Hichem, Senouci SM, Taleb T (2017) An accurate secu- the internet of things: security and privacy issues. IEEE Internet rity game for low-resource iot devices. IEEE Trans Vehr Technol Comput 21(2):34–42 66(10):9381–9393 Bernabe JB, Ramos JLH, Gomez AFS (2016) Taciot: multidimensional Shen H, Gao C, He D, Wu L (2015) New biometrics-based authenti- trust-aware access control system for the internet of things. Soft cation scheme for multi-server environment in critical systems. J Comput 20(5):1763–1779 Ambient Intell Hum Comput 6(6):825–834 1 3 Trust architecture and reputation evaluation for internet of things Shen J, Gui Z, Ji S, Shen J, Tan H, Tang Y (2018) Cloud-aided light- Yan Z, Zhang P, Vasilakos AV (2014) A survey on trust management weight certificateless authentication protocol with anonymity for for internet of things. J Netw Comput Appl 42:120–134 wireless body area networks. J Netw Comput Appl 106:117–123 Yuan C, Li X, Wu QMJ, Li J, Sun X (2017) Fingerprint liveness detec- Sicari S, Rizzardi A, Grieco LA, Coen-Porisini L (2015) Security, tion from different fingerprint materials using convolutional neural privacy and trust in internet of things: the road ahead (2015). network and principal component analysis. 53(4):357–372. http:// Comput Netw 76:146–164www.techs cienc e.com/doi/10.3970/cmc.2017.053.357.pdf Wu J, Igor B, Chris G, Hossain E, Massimo V, Haibo L (2014) Context- aware networking and communications: : part 1 [guest editorial]. Publisher’s Note Springer Nature remains neutral with regard to IEEE Commun Mag 52(6):14–15 jurisdictional claims in published maps and institutional affiliations. Wu J, Song G, Jie L, Deze Z (2016) Big data meet green challenges: big data toward green applications. IEEE Syst J 10(3):888–900 1 3
http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.pngJournal of Ambient Intelligence and Humanized ComputingSpringer Journalshttp://www.deepdyve.com/lp/springer-journals/trust-architecture-and-reputation-evaluation-for-internet-of-things-IEbH0sXJZp

Abstract

Internet of Things (IoT) represents a fundamental infrastructure and set of techniques that support innovative services in various application domains. Trust management plays an important role in enabling the reliable data collection and mining, context-awareness, and enhanced user security in the IoT. The main tasks of trust management include trust architecture design and reputation evaluation. However, existing trust architectures and reputation evaluation solutions cannot be directly applied to the IoT, due to the large number of physical entities, the limited computation ability of physical entities, and the highly dynamic nature of the network. In comparison, it generally requires a general and flexible architecture to manage trust in such a dynamic environment as IoT. In this paper, we present IoTrust, a trust architecture that integrates Soft Defined Network (SDN) in IoT, and a cross-layer authorization protocol based on IoTrust. IoTrust and the protocol together provide a new insight for research on trust management in the IoT. For trust establishment, we further propose a Behavior-based Reputation Evaluation Scheme for the Node (BES) and an Organization Reputation Evaluation Scheme (ORES). Both our theoretical analysis and simulation results validate the efficiency of BES and ORES. Keywords Internet of things · Sensors · Trust architecture · Reputation evaluation 1 Introduction Since physical entities including readers, tags and vari- ous application servers in IoT need to collaborate with each Internet of Things(IoT) creates a world where physical enti- other, it is important for them to identify the trustworthy ties are seamlessly integrated into information networks partners. to provide advanced and intelligent services for human Despite the wide use of trust protocols for P2P (Chen et al. beings (Alrawais et al. 2017; Guo et al. 2017; Dabbagh 2014; Cho et al. 2012) and ad hoc sensor networks (Ganeriwal and Rayes 2017). The IoT entities generally include sen- et al. 2008; Jiang et al. 2015), there is little work on trust man- sor nodes, RFID tags and wireless communicating devices agement for IoT (Sicari et al. 2015). Reputation is a concept (e.g. readers, mobile phones) connected to the Internet in closely related to trust relations and has been widely used a smart environment (Memos et al. 2017; Sedjelmaci et al. in many knowledge domains ranging from social sciences 2017). The proliferation of IoT greatly empowers people to to digital sciences. In fact, reputation is often seen as one control their lives. Generally, a tag is attached to an object measure by which trust or distrust can be built based on good and can only communicate with a reader nearby. Until now, a or bad past experiences and observations based on collected huge number of readers deployed by business or government referral information. In recent years, the concept of reputa- organizations to provide service for commercial or public tion has proven useful in many areas of research in computer use (Yan et al. 2014). science, particularly in the context of distributed and collab- orative systems where trust and security issues are critical. We summarize the main challenges of trust management for IoT as follows. First, traditional trust management solutions * Zhihong Tian cannot be simply and directly applied to the IoT due to the tianzhihong@gzhu.edu.cn different standards, communication stacks, and weak com- putation ability of entities (Shen et al. 2018; Li et al. 2018; The Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China Gao et al. 2018; Liu et al. 2017). Second, most works about trust in IoT systems are designed for specific applications and Living Analytics Research Centre, Singapore Management University, 80 Stamford Road, Singapore 178902, Singapore Vol.:(0123456789) 1 3 J. Chen et al. therefore cannot be applied to other applications (Chen et al. by the performance evaluation. The simulation is given in 2016; Jayasinghe et al. 2016; Nitti et al. 2014). Third, IoT has Sect. 5. Finally, we conclude the paper in Sect. 6. a huge number of heterogeneous entities with limited storage space and computation resources while existing work does not scale well to accommodate this requirement (Nitti et al. 2014). 2 Related work Fourth, IoT represents a dynamic environment which evolves with new nodes joining and existing nodes leaving. Thus, it There are two approaches for trust in computer networks: requires a flexible infrastructure to allow newly joining nodes the first based on policies. For example, SPINS (Perrig et al. to build up trust quickly with a reasonable degree of accuracy. 2002), develops a trusted network. The second approach is Lastly, they are dependent on specific assumptions such as the based on reputation (Chen et al. 2014; Cho et al. 2012), availability of feedback and known ownership (Hellaoui et al. which is defined as a probability that an agent is trustworthy. 2016; Bernabe et al. 2016). In recent years, the concept of reputation has shown itself We aim to design a scalable and general trust manage- to be useful in many areas of research in computer science par- ment framework for IoT to address the above challenges. To ticularly in the wireless body area networks, cloud computing this end, we first present a general trust architecture inte- (Wu et al. 2016, 2014; Huang et al. 2017), and social networks grating Soft Defined Network (SDN), an emerging technol- (Yuan et al. 2017; Chen et al. 2017; Shen et al. 2015), where ogy that can meet the need of current IoT requirements of interesting issues of trust and security manifest themselves. heterogeneity and flexibility (Kuang et al. 2016). Then, we Despite active research efforts in the related topics (Gan- present a cross-layer authorization protocol based on the eriwal et al. 2008; Jiang et al. 2015), few researchers focus architecture and two reputation evaluation schemes for the on the trust management in the context of the IoT. In fact, node and organization, respectively. In a nutshell, we make reputation is often seen as one measure by which trust or the following contributions in this paper: distrust can be built based on good or bad past experiences and observations (Chen et al. 2016; Raya et al. 2008) or – We present IoTrust, a trust architecture integrating SDN based on collected referral information (Bernabe et al. 2016; for IoT, which consists of the object layer, the node layer, Hellaoui et al. 2016; Jayasinghe et al. 2016). the SDN control layer, the organization layer, and the rep- Chen et al. 2016 proposed a trust management framework utation management layer. Since the SDN control layer for service oriented architecture (SOA) based IoT systems. decouples the control functionality from the data rout- Trust is based on entities’ previous interactions and expe- ing and processing, IoTrust facilitates optimization and riences. It uses distributed collaborative filtering to select configuration of a network in an efficient and automated trust recommendations. It dynamically adjusts the protocol’s manner and provides interoperability among heterogene- parameters for different environments. Also, it considers four ous IoT network. The general and flexible infrastructure types of malicious attacks. Jayasinghe et al. (2016) propose can be applied to various types of applications to solve a novel trust computational model based on three trust met- the scalability issues in a dynamic IOT environment. rics (TMs); Knowledge, Recommendations, and Reputations – We present a cross-layer authorization protocol based on for Social Internet of Things. However, both (Chen et al. IoTrust. Specifically, only the reader authorized by the 2016) and (Jayasinghe et al. 2016) are designed for specific tag related organization can access to the tag. Moreover, applications, e.g. service provision. the reader’s operations on the tag will be recorded for the Jorge (Bernabe et al. 2016) focused on the trust control node’s reputation evaluation. technologies. Hellaoui (Hellaoui et al. 2016) presented an – We present a Behavior-based Reputation Evaluation efficient adaptive security model for the IoT. It allows eval- Scheme for the Node (BES) and an Organization Repu- uating the trust related to the presence of security threats tation Evaluation Scheme (ORES). Based on the node’s and performing, consequently, adaptive security decisions. behavior, BES decides the node’s state by which node’s Both (Hellaoui et al. 2016) and (Bernabe et al. 2016) are reputation is evaluated. Then, ORES evaluates the organ- dependent on specific assumptions, such as feedback must be ization’s reputation based on all its nodes’ current states. available, ownership is known, and so on. Raya et al. (2008) The theoretical analysis supports our simulation results, evaluates data reports with corresponding trust levels using indicating the efficiency of BES and ORES. Bayesian inference. However, Bayesian inference depends on prior knowledge about events which may be unavailable. The rest paper is organized as follows. Section 2 introduces Other related work either does not scale well or falls typical trust management work in IoT. We then present the unsuitable for dynamic Soft-defined IoT network (Nitti et al. soft-defined trust architecture with a cross-layer authoriza- 2014). Thus, trust management for Soft-defined IoT remains tion protocol in Sect. 3. Section 4 proposes reputation evalu- an open issue. ation schemes for node and organization in details followed 1 3 Trust architecture and reputation evaluation for internet of things resources it requires. Moreover, this layer is in charge of pre- 3 Trust architecture with a cross‑layer dicting network traffic and implement mobility management authorization protocol in the IoTrust architecture. Specifically, controllers in this layer should be carefully deployed and designed according to their We first present IoTrust, a trust architecture integrating SDN different functions such as flow scheduling, mobility manage- for IoT according to different functions of entities. Then, ment and so on. The organization layer is composed of differ - a cross-layer authorization protocol is proposed based on ent commercial or government organizations. Each organiza- IoTrust. IoTrust with the cross-layer authorization protocol tion deploys a certain number of nodes to perform operations provides new insights for research on trust-based interac- on tags such as data retrieval. Since IoT is spread across a large tion in IoT. This is because our soft-defined trust architec- area which can not be covered by nodes from one organiza- ture enables trust relationship establishment among highly tion, it is necessary for different organizations and nodes to dynamic entities managed by different organizations. cooperate with each other. However, a malicious node or an organization among good ones can launch different attacks 3.1 IoTrust after the node gains access to the tag, thereby severely damage the network. In order to identify the good nodes and organiza- There are five types of entities: tag-attached objects or tags, tions from malicious ones, reputation is used to measure how nodes, controllers, organizations and the RMC (Reputation good the node or organization is. IoTrust thus evaluates the Management Center). According to the functions of differ - reputation of each node and organization by the reputation ent entities, IoTrust divides the IoT into five layers including evaluation schemes introduced in Sect. 4 by RMC on the top the object layer, the node layer, the SDN control layer, the reputation management layer. The tag related organization will organization layer and the reputation management layer. Fig- grant the authorization to the good node which receives an ure 1 shows the bottom object layer consists of a large number operation request from good organization. The authorization of moving tag-attached objects. Before joining the IoT, each protocol will be introduced in the following subsection. tag or object must choose and then register with an organiza- tion. This layer is the data source. Above the object layer is 3.2 Cross‑layer authorization protocol the node layer which consists of different kind of nodes such as readers, sensors and so on. This layer manages data col- The cross-layer authorization protocol is used to authorize lection from the object layer. Specifically, nodes retrieve data the good node to access to the tag. The node can interact from nearby tags and then return the required results to the with the tag directly if it stays within the tag’s communica- organization layer. The SDN control layer lies between the tion range. Note that only the node authorized by the tag node layer and the organization layer. This layer can program related organization can be trusted by the tag. Therefore, the bottom node network to react differently depending on before accessing to the tag, the node must obtain the author- the nature of the node, its potential for maliciousness, and the ization from the tag related organization. The tag related organization decides whether or not to authorize the node’s access according to the node’s reputation and the user reg- istered organization’s reputation. The reputation evaluation for nodes and organizations will be introduced in Sect. 4. The main idea of the cross-layer authorization protocol is shown in Fig. 2. Specifically, the cross-layer authorization protocol performs the following nine steps. 1. The user sends a request to the user related organization O for the specified operation on a tag-attached object known as the target tag. 2. The organization O sends the request message INFO_REQ = < ID , ID , O > which will then be U T per broadcasted to the node layer, where ID , ID and O U T per stand for the ID of O , the ID of the target tag T and the requested operation. 3. The node R which discovers that the target tag T stays within its communication range is the target node. R will send INFO_REQ to T for accessing request. Fig. 1 Five-layer IoTrust architecture 1 3 J. Chen et al. attacked node from a node in temporary breakdown. Therefore, we choose the RMC with powerful energy and computational ability to identify the attacked node according to its reputation. Each node’s repu- tation is determined by its previous behavior such as its operations on different tags. 4 Reputation evaluation schemes For safety consideration, attacked nodes must be identified and then prevented from accessing to the tag. Different from unattacked nodes, attacked nodes usually perform a mali- cious behavior. So, we identify an attacked node according to its behavior which is measured by its reputation. We then propose a Behavior-based reputation Evaluation Scheme (BES) for nodes in Sect. 4.1. Furthermore, an Organization Reputation Evaluation Scheme (ORES) will be introduced in the following Sect. 4.2. 4.1 Behavior‑based reputation evaluation scheme for nodes Fig. 2 Cross-layer authorization process Based on the node’s behavior, BES decides the node’s state by which node’s reputation is evaluated (See Fig. 3). Firstly, 4. The tag T replies R with an authorization request mes- tag T in the object layer records evidence ED which includes sage AUTH_REQ including ID and ID , where ID the operations performed by reader R. Then, when interact- T OT OT is the ID of the tag-related organization. ing with the next node, T will include ED as part of the 5. Target node R sends AUTH_REQ to O through the node message which will be sent to O by the node. After that, O T T layer and SDN control layer. determines and then submits R’s behaviors to RMC. Finally, 6. The tag related organization O interacts with the RMC RMC updates R’s reputation by R’s state which can be deter- to obtain R’s and O ’s reputation. Specifically, O sends mined by R’s behaviors at regular intervals. In all, the node U T the REPU_REQ to the RMC for reputation request. reputation evaluation process includes node behavior veri- 7. RMC replies O with the message REPU_REP including fication, node state verification, and node reputation evalu- R’s and O ’s reput ation. ation. Specifically, BES consists the following three steps as 8. The organization O determines whether R should be described in Algorithm 1. granted access to T. If both R’s reputation and O ’ s repu- tation meet O ’s requirements, O gives R the authori- – Node’s behavior determination based on evidence T T zation and responses R with an authorization message Before performing operations on a tag T, the node R AUTH_REP. must be authorized by the tag’s organization O . Thus, 9. After being authorized, R can perform operations on T. R sends an authorization request message AUTH_REQ to O . Once being authorized, the node can have the right – Once authorized, R can perform either a good or a to do the operation on the tag. When the operation is malicious operation. For safety consideration, the completed, the tag will generate an evidence ED which attacked nodes that often perform malicious opera- is used to record the operation of the node. Specifically, tions should be prevented from accessing to tags. ED=< ID , OP, seq, rand > where ID is the ID of the R R However, it is difficult for a tag to defend against node. ’OP’ is the performed operation such as reading, the attacked node. On the one hand, a tag usually writing or deleting data. ’rand’ is a random number gen- has limited energy. On the other hand, a malicious erated by the tag. ’seq’ is a sequence number which is operation may be performed by either an attacked initialized to 1 and will be increased by one after each node or (occasionally) an unattacked node in case of operation. When the tag is requested by the next node R’, a temporary breakdown as it is impractical for a tag ED will then be sent to the tag’s organization O by R’ with limited computation capability to identify an as part of AUTH_REQ=< ID , ID , OP , ED,𝜑> . Spe- T R 1 3 Trust architecture and reputation evaluation for internet of things Table 1 Node state based on its Behavior State major behavior Normal Good Fault Temporary break- down Malicious Attacked Obviously, R’s malicious behavior can be captured accurately since each operation executed by R will be sent to O . – Node’s state determination RMC will determine node R’s state according to the ’Major Behavior’ during a fixed period of time since RMC can obtain each behavior of R from different organizations. The ’Major Behavior’ is the behavior which occurs most frequently. For example, if the normal, fault and malicious behavior occur 2,4 and 6 times during 10 min, the ’Major Behavior’ is malicious. We then have that the state of R is Attacked according to Table 1. – Node’s reputation evaluation After obtaining the state of R, namely P , RMC will compute R’s reputation p R R according to Algorithm 1. Specifically, if R is in a good state, P will be updated to the maximum reputation value p , where p is the initialization reputation value 0 0 of a node; otherwise, if R is being temporarily breakdown or attacked, P will be reduced to ∗ p or the lowest R 0 value 0. The parameter is an impact factor affecting the reputation of breakdown node, where 0 <𝛼 ≤ 1. Fig. 3 Three steps for node reputation evaluation cifically, =E (H(ED)) which is obtained by first hash- ing ED as H(ED) and then encrypting H(ED) by key k, where k is the symmetric key shared by T and O . Once receiving AUTH_REQ , O will verify by calculating E (H(ED)) firstly and then comparing E (H(ED)) with k k the . If the received AUTH_REQ pass the verification, O will obtain R’s operation from ED and determine R’s behavior as follows. 1. Node R performs normal behaivor if it only does operation permitted by O . 2. Node R performs fault behavior if it does unpermit- ted operation probably due to its random breakdown. This kind of fault behavior such as data dropping or injection may not be allowed by O but won’t do 4.2 Organization reputation evaluation scheme harm to T. 3. Node R performs malicious behavior if it does oper- Before joining in the network, an organization requests ation strictly prohibited by O such as complete data for a certificate from RMC and then it can be trusted by wiping. other organizations as well as the RMC. Since the number 1 3 J. Chen et al. of organizations is far less than that of nodes or tags, the – BES and ORES can defend against the modification computation or storage cost for reputation evaluation of attack and protect ED’s integrity and authenticity. This is an organization won’t cause too much burden to RMC. because the organization O can discover ED’s modifica- Specifically, the organization’s reputation Φ will be cal- tion by checking = E (H(ED)) according to Sect. 4.1. culated at regular intervals based on all its nodes’ current – BES and ORES can defend against the replay attack state. Given that there are N nodes deployed by the and thus ED’s freshness is preserved. This is because total organization. The number of good, attacked and break- the replayed ED can be verified if the ’rand’ which is a down nodes are N , N and N . The reputa- unique identifier is a previously used one. good attacked breakdown tion of the organization will be computed according to Eq. – BES and ORES can defend against the message dropping (1). Specifically, Φ is the initialization reputation value attack and ensure the non-repudiation of ED. The organi- of an organization. and are reputation decay factors zation O can verify that ED is discarded if seq ≠ T .seq for an attacked and breakdown node respectively, where +1, where ’seq’ and ’T.seq’ are sequence numbers 0 <𝛽 , 𝜏 ≤ 1 and 𝛽 <𝜏 . included in two consecutive evidences received from the same tag. Φ= N ⧵N + N ⧵N + N ⧵N Φ . good total attacked total breakdown total 0 (1) 4.3 Performance analysis 5 Simulation results We use the detection accuracy of abnormal (malicious and fault) behavior to measure the performance of BES In this section, we apply our trust architecture and reputa- and ORES. In particular, the evidence ED’s protection tion schemes to the IoT system covering over 1000 × 800 level including integrity, authenticity, freshness, and non- m . The system includes one RMC, 3 organizations, 30 repudiation is chosen to measure the detection accuracy of tags and a large number of nodes. In order to be tracked by abnormal behavior. This is because each node’s behavior authorized users, each tag has to register at one organiza- is recorded in each evidence, based on which BES and tion. All tags are moving at a speed of 3 m/s in the network. ORES evaluate the reputation of nodes and organizations. Each organization deploys its own nodes in areas where Therefore, only when the security of the evidence ED is it requests data frequently. The available communication guaranteed, BES and ORES are effective. The evidence distance between a node and a tag is no more than 30 m. will be verified by the tag’s organization as described in The maximum communication distance between two nodes the following Algorithm 2. is 150 m. Both the reputation of an organization and a node are initialized to 1. Figures 4 and 5 show the effect of different node den- sities on the organization reputation evaluated by ORES and Bayes-based method (Raya et al. 2008). Given that the node density is the number of nodes which are able to listen to the communication between a tag and a node on average. We can observe from Fig. 4 how the organization repu- tation changes over time when the node density is low. Each organization deploys and manages 30 nodes and thus the node density is = 0.32. Fifty percent of nodes has been attacked. Both ORES and Bayes-based method evalu- ate the organization reputation by the number of attacked nodes being detected. Then we have that the more accu- rate the detection result is, the more accurate the organi- zation reputation is. It is observed that the organization reputation for ORES decreases over time as the number of detected attacked nodes grows. This is because ORES Specifically, both BES and ORES are capable of thwart- is able to detect the attacked nodes successfully by their ing three types of attacks to ensure the integrity, authentic- malicious behaviors recorded in evidence. That evidence ity, freshness, and non-repudiation of ED according to the will be successfully transmitted to the tag related organiza- following analysis. tion. We can also observe that after a period of time which 1 3 Trust architecture and reputation evaluation for internet of things Fig. 6 The effect of the percentage of attacked nodes Fig. 4 Organization reputation changes over time under low node density detect attacked nodes with a higher probability than the Bayes-based method even in a high node density network. In all, ORES can detect attacked nodes with a higher prob- ability whether in a low or high node density network. We can observe from Fig. 6 how the organization repu- tation changes with different , where is the percentage of attacked nodes. Each organization deploys 100 nodes, each of which is attacked or breakdown. Figure 6 illustrates that the organization reputation decreases over time since more attacked nodes and temporary breakdown nodes have been detected. We can further observe that as decreases, the organization reputation decreases obviously. The results show clearly that the number of attacked nodes has a more Fig. 5 Organization reputation changes over time under high node significant impact on the organization reputation than that density of temporary breakdown nodes. This is because temporary breakdown nodes may recover and can then return to a is 120 s in Fig. 4, the organization reputation for ORES normal state while attacked nodes cannot. Thus, the more becomes stable. After 120 s, all attacked nodes (45 nodes) attacked nodes the organization owns, the lower the organi- have been detected. Different from ORES, the organization zation reputation is. reputation for the Bayes-based method keeps unchanged Figure 7 shows how the moving speed of tags affects the since attacked nodes cannot be detected. In the Bayes- number of detected attacked nodes for BES. In this sim- based method, the communication between a node and a ulation, we set that 30% of the nodes has been attacked. tag can hardly be monitored by another node if nodes are Each organization deploys 100 readers and 5 tags. It can be sparsely deployed. So the node’s behavior (whether good seen from Fig. 7 that the number of attacked nodes being or malicious) during the communication process cannot be detected increases with the growth of the speed of tags. This observed by any other node. It is obvious that ORES out- is because tags can encounter readers frequently and then performs the Bayes-based method with a low node density capture the readers’ behavior with a high possibility if tags deployment. are moving quickly. Figure 5 shows how the organization reputation changes over time when the node density is high. Each organization deploys 100 nodes, 80% of which is attacked. Other param- eters’ setting is the same as Fig. 4. It can be seen that the organization reputation decreases over time for ORES and Bayes-based method overall. Take note that the organiza- tion reputation for Bayes-based fluctuates greatly. This is because ORES can detect each malicious behavior while Bayes-based method cannot. Specifically, for the Bayes- based method, the communication process between a node and a tag will be missed, if no other node within the com- munication range of the node and the tag. Thus, ORES can Fig. 7 The effect of moving speed of the tag 1 3 J. Chen et al. Chen R, Bao F, Chang MJ, Cho J-H (2014) Dynamic trust management 6 Conclusion for delay tolerant networks and its application to secure routing. IEEE Transa Parallel Distrib Syst 25(5):1200–1210 In this paper, we have presented a trust architecture integrat- Chen R, Guo J, Bao F (2016) Trust management for soa-based iot and ing SDN, called IoTrust, with a cross-layer authorization its application to service composition. IEEE Trans Serv Comput 9(3):482–495 protocol. IoTrust can be applied to various types of applica- Chen Z, Peng L, Gao C, Yang B, Chen Y, Li J (2017) Flexible neural tions to solve the scalability issue in an IoT dynamic envi- trees based early stage identification for ip traffic. Soft Comput ronment. In addition, we propose two reputation evaluation 21(8):2035–2046 schemes for node and organization, respectively. Theoreti- Cho JH, Swami A, Chen R (2012) Modeling and analysis of trust man- agement with trust chain optimization in mobile ad hoc networks. cal analysis shows that the proposed reputation evaluation J Netw Comput Appl 35(3):1001–1012 schemes can defend against modification attack, replay Chongzhi G, Xuan L, Shibing X (2018) Cloud-assisted privacy-pre- attack, and message dropping attack and achieve higher serving profile-matching scheme under multiple keys in mobile detection accuracy of attacked nodes. Simulation results social network. Cluster Comput. https ://doi.org/10.1007/s1058 6-017-1649-y support our theoretical analysis and validate the efficiency Dabbagh M, Rayes A (2017) Internet of things security and privacy. of the proposed reputation evaluation schemes. In: Rayes A, Salam S (eds) Internet of things from hype to reality. Our future work includes extension and further valida- Springer, pp195–223 tion of the proposed techniques to address the remaining Ganeriwal S, Balzano LK, Srivastava MB (2008) Reputation-based framework for high integrity sensor networks. ACM Trans Sensor challenges in the trust management for IoT. For example, Netw (TOSN) 4(3):15 we will enhance the proposed model to adapt our reputation Guo J, Chen R, Tsai JJP (2017) A survey of trust computation models architecture and its reputation schemes to other IoT proto- for service management in internet of things systems. Comput cols. Another important research direction is the detection of Commun 97:1–14 Hellaoui H, Bouabdallah A, Koudil M (2016) Tas-iot: trust-based adap- malicious user and organization behaviors. Typically, such a tive security in the iot. In: Local Computer Networks (LCN), 2016 malicious behavior could be the collusion across those enti- IEEE 41st Conference on ties with the aim of generating fake reputation values for a Huang H, Guo S, Wu J, Li J (2017) Service chaining for hybrid network targeted node. Other promising directions include designing function. IEEE Trans Cloud Comput. https ://ieeex plore .ieee.org/ docum ent/79621 78/ a mechanism for managing reputation for RMC and explor- Jayasinghe U, Truong NB, Lee GM, Um T-W (2016) Rpr: a trust com- ing how variations in the presence ratio of ill-behaved and putation model for social internet of things. In: Ubiquitous intel- well-behaved entities would lead to a notion of reputation ligence & computing, advanced and trusted computing, scalable reflecting the wider system. computing and communications, cloud and big data computing, internet of people, and smart world congress (UIC/ATC/ScalCom/ CBDCom/IoP/SmartWorld, 2016 Intl IEEE Conferences Acknowledgements This research is supported in part by the Natu- Jiang J, Han G, Wang F, Shu L, Guizani M (2015) An efficient distrib- ral Science Foundation of China under Grants No. 61572153 and No. uted trust model for wireless sensor networks. IEEE Trans Parallel 61702223; by Scientific Research Staring Foundation for the Ph.D. in Distrib Syst 26(5):1228–1237 Liaoning Province No. 201601081; by Scientific Research Projects Kuang L, Yang LT, Qiu K (2016) Tensor-based software-defined inter - from Education Department in Liaoning Province No. L2015056. net of things. IEEE Wirel Commun 23(5):84–89 Li J, Zhang Y, Chen X, Xiang Y (2018) Secure attribute-based data Compliance with ethical standards sharing for resource-limited users in cloud computing. Comput Secur 72:1–12 Conflict of interest The authors declare that they have no conflict of Liu Q, Wang G, Li F, Yang S, Jie W (2017) Preserving privacy with interest. probabilistic indistinguishability in weighted social networks. IEEE Trans Parallel Distrib Syst 28(5):1417–1429 Memos VA, Psannis KE, Ishibashi Y, Kim B-G, Gupta BB (2017) An Open Access This article is distributed under the terms of the Crea- efficient algorithm for media-based surveillance system (eamsus) tive Commons Attribution 4.0 International License (http://creat iveco in iot smart city framework. Future Gen Comput Syst 83:619–628 mmons.or g/licenses/b y/4.0/), which permits unrestricted use, distribu- Nitti M, Girau R, Atzori L (2014) Trustworthiness management tion, and reproduction in any medium, provided you give appropriate in the social internet of things. IEEE Trans Knowl Data Eng credit to the original author(s) and the source, provide a link to the 26(5):1253–1266 Creative Commons license, and indicate if changes were made. Perrig A, Szewczyk R, Tygar JD, Wen V, Culler DE (2002) Spins: secu- rity protocols for sensor networks. Wireless Netw 8(5):521–534 Raya M, Papadimitratos P, Gligor VD, Hubaux J-P (2008) On data- centric trust establishment in ephemeral ad hoc networks. In: References INFOCOM 2008. The 34th Conference on Computer Commu- nications. IEEE Alrawais A, Alhothaily A, Hu C, Cheng X (2017) Fog computing for Sedjelmaci Hichem, Senouci SM, Taleb T (2017) An accurate secu- the internet of things: security and privacy issues. IEEE Internet rity game for low-resource iot devices. IEEE Trans Vehr Technol Comput 21(2):34–42 66(10):9381–9393 Bernabe JB, Ramos JLH, Gomez AFS (2016) Taciot: multidimensional Shen H, Gao C, He D, Wu L (2015) New biometrics-based authenti- trust-aware access control system for the internet of things. Soft cation scheme for multi-server environment in critical systems. J Comput 20(5):1763–1779 Ambient Intell Hum Comput 6(6):825–834 1 3 Trust architecture and reputation evaluation for internet of things Shen J, Gui Z, Ji S, Shen J, Tan H, Tang Y (2018) Cloud-aided light- Yan Z, Zhang P, Vasilakos AV (2014) A survey on trust management weight certificateless authentication protocol with anonymity for for internet of things. J Netw Comput Appl 42:120–134 wireless body area networks. J Netw Comput Appl 106:117–123 Yuan C, Li X, Wu QMJ, Li J, Sun X (2017) Fingerprint liveness detec- Sicari S, Rizzardi A, Grieco LA, Coen-Porisini L (2015) Security, tion from different fingerprint materials using convolutional neural privacy and trust in internet of things: the road ahead (2015). network and principal component analysis. 53(4):357–372. http:// Comput Netw 76:146–164www.techs cienc e.com/doi/10.3970/cmc.2017.053.357.pdf Wu J, Igor B, Chris G, Hossain E, Massimo V, Haibo L (2014) Context- aware networking and communications: : part 1 [guest editorial]. Publisher’s Note Springer Nature remains neutral with regard to IEEE Commun Mag 52(6):14–15 jurisdictional claims in published maps and institutional affiliations. Wu J, Song G, Jie L, Deze Z (2016) Big data meet green challenges: big data toward green applications. IEEE Syst J 10(3):888–900 1 3